Docs / API Reference / Authentication
Authentication
Every LocalLeads API request must include a valid API key. Keys are passed as a Bearer token in the Authorization header — no sessions, cookies, or OAuth flows required.
Getting an API Key
- Open Settings → Security → API Keys.
- Click New key, give it a name, and set an optional expiry.
- Copy the full key — it is shown once only.
- Store it in an environment variable, not in source code.
Key Format
All API keys start with the prefix ll_ followed by 64 lowercase hex characters (256 bits of entropy). Example:
ll_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2The dashboard shows the first 12 characters as a visual identifier (ll_a1b2c3d4e5…). The full key is never stored server-side — only its SHA-256 hash is kept.
Using the Key in Requests
Pass the key in the Authorization header on every request:
Authorization: Bearer ll_your_api_key_herecurl https://leadsapi.postorbit.io/api/v1/credits/balance \
-H "Authorization: Bearer $LOCALLEADS_API_KEY"LOCALLEADS_API_KEY) and read it at runtime. Never interpolate it directly into code that ships to version control.Auth Errors
An unauthenticated or invalid request returns 401 Unauthorized:
{
"statusCode": 401,
"error": "Unauthorized",
"message": "Invalid or expired token"
}Common causes:
- The
Authorizationheader is missing entirely. - The key has been revoked from the dashboard.
- The key has passed its optional expiry date.
- The key was typed incorrectly — check for extra whitespace.
Key Expiry
Keys can be created with an optional expiry date. Once expired, they return 401 immediately. Non-expiring keys remain valid until explicitly revoked. The expiry date appears in the key list in the dashboard.